Man Vs WebApp (http://www.manvswebapp.com)
Web Application Security Blog and Podcast. Feed last updated Thu, 13 Sep 2018 18:40:12 +0000.

A podcast about web application security, as well as general web application development issues. The primary focus is on security, with an effort to explain things so that anyone can understand them, since security issues affect everyone across an organization. Hopefully this show will be a resource for everyone involved in a software development project. Dig into the world of Application Security with Dan Kuykendall and team.
Author: Dan Kuykendall (mightyseek@gmail.com), copyright 2006-2012. Cover image: http://www.manvswebapp.com/images/itunescover144.jpg

Man vs WebApp Podcast – Episode 05 – New Hosts and BlackHat 2018
http://www.manvswebapp.com/man-vs-webapp-podcast-episode-05-new-hosts-and-blackhat-2018
Wed, 12 Sep 2018 21:19:08 +0000

This episode of Man vs Web App Podcast marks a significant transition as we introduce two new hosts of the podcast: David Howe and Garrett Gross. We discuss the transition itself, the current state of application security and get an onsite interview from a DEF CON attendee regarding their experience with appsec.
Duration: 39:38

Man vs WebApp Podcast – Episode 04 – Input and injection fundamentals
http://www.manvswebapp.com/man-vs-webapp-podcast-episode-04-input-and-injection-fundamentals
Fri, 03 Jun 2016 09:24:31 +0000

This week on the Man vs Web App Podcast we delve into the fundamentals of Inputs and Injection. Inputs cross all layers of the entire system, and it’s important to understand the basics in order to build more advanced or specialized attacking methods on top of them.

Listen to learn the basics about inputs and injections.

Duration: 34:21

Man vs WebApp Podcast – Episode 03 – Out of band attacks
http://www.manvswebapp.com/man-vs-webapp-podcast-episode-03-out-of-band-attacks
Fri, 29 Apr 2016 23:07:10 +0000

This week on the Man vs Web App Podcast we delve into the topic of Out of band attacks. These go by various names, such as Out of Order, second order, blind, external service interactions, etc. In this episode Scott Davis takes the lead to discuss the latest research he has been doing in this area.

Listen to learn about this newer category of attacks, the cutting-edge attacking techniques involved, and how you have to build apps that can defend against them.

Duration: 33:54

Man vs WebApp Podcast – Episode 02 – All about web services
http://www.manvswebapp.com/man-vs-webapp-podcast-episode-02-all-about-web-services
Fri, 18 Mar 2016 15:58:39 +0000

This week on the Man vs Web App Podcast we delve into the topic of Web Services. This includes SOAP, REST APIs or just Web APIs… whatever you want to call them.

Learn about the history of Web Services, how each is different, and learn about cutting-edge solutions which allow them to become more manageable from a security perspective.

Duration: 34:50

Man vs WebApp Podcast – Episode 01 – Welcome To The Show
http://www.manvswebapp.com/man-vs-webapp-podcast-episode-01-welcome-to-the-show
Sun, 28 Feb 2016 01:28:17 +0000

Welcome to the Man vs WebApp Podcast!

In this intro episode we do introductions and give a preview of the topics to come.

The Man vs WebApp Podcast is not another “newscast” covering the latest topics in the industry. Instead, in each episode we will focus on a specific Application Security topic and dig into the details with enough description to educate those newer to AppSec, but then we will go deep enough to add new ideas for AppSec pros.

Duration: 33:49

This Blog lives again!
http://www.manvswebapp.com/this-blog-lives-again
Thu, 18 Feb 2016 07:54:25 +0000

During the last year this blog (and podcast) was put on hold to deal with the acquisition of NT Objectives by Rapid7. I was highly occupied with the effort of the acquisition itself, then with the effort to merge and integrate our team and products into Rapid7. I am still very busy, but I have been dying to get back to blogging and podcasting, so I have been working out some time in my schedule to do just that!

Keep your eyes and ears tuned to this site, as many new blog posts and podcasts will be heading your way!

In case you noticed the missing content: some of the content from this blog was moved over to our space on the Rapid7 Blog, and some of the old NTO-specific content has been removed altogether.

OWASP AppSec California Recap
http://www.manvswebapp.com/owasp-appsec-california-recap
Thu, 29 Jan 2015 18:44:25 +0000

I spent the week at OWASP AppSec California in Santa Monica and had a great time! This is the 2nd year of having the event at this location, and even as a southern California native, I find it a beautiful location. There were a good number of people from the east coast that I didn’t see at AppSec USA last September. I can imagine for those that need to choose one or the other, it’s an easy choice to turn down Denver in September in favor of southern California beaches in January!

I thank all the organizers for their hard work and for lining up a great roster of speakers. It was a very good event!

Monday

On Monday the great folks at Riot Games invited the speakers to a tour of their offices and a chance to play League of Legends in their in-house PC bang. When I got the invite, I asked Angela if I could bring my 16-year-old son with me, and she said yes. My son has been taking Comp Sci classes in school and is interested in software development, so I figured it would be a great chance for him to see what it’s like to be a game developer at one of the hottest gaming companies in the industry. Not to mention, it’s a good chance to make his League of Legends friends jealous. The tour was very cool, and both my son and I were really impressed. He made me laugh when he commented on all the beers covering the developers’ desks!

After the tour we headed into the PC Bang to play LoL and got some coaching from the Riot Games staff. I was able to hold my own well enough, but my son was “The Carry” and led us to victory! Nice job, Matthew!

(Photo: PC Bang at Riot)

Tuesday

I had planned to be at the conference nice and early to hear the keynote, but after my 3 hour drive home on Monday night, I needed to work on my slides for Wednesday, so I waited till traffic died down. As a result I didn’t arrive till a little after noon, and I regretfully missed Alex Stamos’s keynote, which I heard was very good. I also missed “Fixing XSS with Content Security Policy” by Ksenia Dmitrieva, which was later referred to in several other talks, which made me feel like I had better go back and watch both of these talks when the video gets posted.

12:00: I arrived in the middle of the noon sessions, and couldn’t make a choice between “No Better ROI: HTTP Headers for Security” by Caleb Queern and “Hacking Management: Why Stop at Domain Admin?” by Adam Brand, so I ended up heading to lunch a little early and taking the opportunity to chat with some old friends and meet a few new ones. I also later asked each for the short version of what they covered, and now have 2 more talks to add to my video queue.

1:45pm: “Levelling up an application security program” by David Rook from Riot Games – I really enjoyed David’s talk and the way he has led the security team at Riot to create an open culture where the developers are able to have security come alongside them, helping the developers at the pace of their interest. It seems to be a much better approach than how many organizations end up shoving security down developers’ throats.

2:45pm: “API = Authentications Poorly Implemented” by Zach Lanier from Accuvant – Sadly it wasn’t a onesie, but Zach wore the awesome sweater! I enjoyed seeing someone else talking about this web service issue, and Zach had several really good examples of vulnerabilities/exploits that have been publicized recently. He also did a great job covering WSDL 2.0 for REST, WADL and Swagger. I might have to steal his slides!

4:15pm: “Making SSL Warnings Work” by Adrienne Porter Felt – I did ask her about the topic of security notifications for mobile apps (analogous to how browsers show a lock icon to let users know the site is using encryption). She said her preference would be to disable unencrypted communication in Android altogether! Someone move her from Chrome to the Android project!! Her talk was even more interesting than expected. I really had never considered the challenges with SSL warnings. I really suggest watching this if you get a chance.

As I still had some significant work to do on my slides and prep for Wednesday, I decided to skip the 5:15pm talks and head home at 5:30pm. Of course I ended up on another 3 hour journey home and was reminded how lucky I am to be able to telecommute most of the time.

Wednesday

I actually ended up driving in early and arrived at 9am. However, I still needed to make some last minute improvements on my presentation, so I sadly had to skip Katie Moussouris’s keynote. I’m sure she was great, and it’s another for my video queue.

10:30am: I had planned to watch “Chrome Security Health & Wellness” by Parisa Tabriz but there was nowhere to sit that had a power outlet, and I was still working on my presentation. So I moved over to “Caspr and Friends (Content-Security-Policy Reporting and Aggregation)” by Stuart Larsen and got a nice place by an outlet. This worked out because I had missed out on Ksenia Dmitrieva‘s talk the day before, so I was eager to hear some CSP talk. The product that Stuart created looks very useful, and really makes it possible to start doing useful analytics on CSP data.

11:30am: With my slides complete and my live demo environment actually working, I did my first showing of “Hackazon – Stop hacking like it’s 1999”. The talk was well attended, there were some great questions at the end and overall I think it went well.

Lunch – Another fun time hanging out with old and new friends. We got to discuss the history of WebGoat and OWASP with Jeff Williams, and of course Jim Manico had to pop in for a sales pitch!

2:00pm: “Building a Modern Security Engineering Organization” by Zane Lackey from Signal Sciences – I only watched the first half of Zane’s talk, and not because I wasn’t enjoying it; the talk was going great. But I couldn’t stomach the idea of another 3 hour drive home, and decided to leave early to get a jump on the traffic. So I headed home, and was able to get home in 1 1/2 hours! Much better.

I hope the organizers post the videos soon, because I am eager to see Matt Tesauro’s talk as well as Charlie Miller’s closing keynote. There are a few others that I need to watch, including the one about SQLViking; I spoke with Ken Toler about it, and his work and tool look very interesting. There is also Greg Foss’s talk about Wi-Fi hacking, which I saw a couple of parts of and spoke with him about… he’s doing some very interesting research and hopefully I will be able to spend some time with him to learn more.

I thank everyone for making the event such fun. I am sorry I cannot mention everyone and all the great talks, but I will say that this is a conference I highly recommend. It’s well worth watching every talk from this year’s event and starting to make plans to be there next year!

C’mon back to Cali! OWASP AppSec California This Week!
http://www.manvswebapp.com/cmon-back-to-cali-owasp-appsec-california-next-week
Fri, 23 Jan 2015 22:02:28 +0000

I’m looking forward to seeing everyone next week at OWASP AppSec California in Santa Monica and hearing some of the great talks planned, but I’m mostly interested to see if Zach Lanier wears the same fabulous onesie (it’s probably a sweater, but I’m holding out hope that it’s a onesie) he is wearing in his profile picture.

I’m speaking on Wednesday at 11:30am, where I’ll be demonstrating the new vulnerable test app, Hackazon. Join me for “Hackazon – Stop hacking like it’s 1999”. If you will be attending the conference this year, please find me and tell me what you were hacking in 1999!

I was excited to see that there are more and more women speaking at these security conferences. Here is a list of the women speaking next week.

Well, what seemed like a lot is actually only about 11% (6 out of 56). Even so, it’s great progress considering that a few years ago having even just one was great to see.

There are many great talks, and for some hours there are some tough choices to make. The only easy choice is Wednesday at 11:30am. Here is my planned schedule for the conference.

Tuesday

9:30am: Opening keynote by Alex Stamos from Yahoo. I’m actually planning to arrive on time for a conference for the first time in my life, just to hear this keynote from Alex.

11:00 am: “Fixing XSS with Content Security Policy” by Ksenia Dmitrieva from Cigital. It looks like Ksenia can dance circles around most of us when it comes to CSP, so I am looking forward to learning from her.

1:45pm: I am looking forward to hearing about “Levelling up an application security program” by David Rook from Riot Games. [I will even try to refrain from playing League of Legends while he’s talking.]

2:45pm: Hoping to see an awkward onesie, I will be sitting in on “API = Authentications Poorly Implemented” by Zach Lanier from Accuvant who I mentioned previously. I really hope he discusses solutions such as WSDL 2.0 for REST, WADL and Swagger.

4:15pm: “Making SSL Warnings Work” by Adrienne Porter Felt (https://twitter.com/__apf__) from Google. Adrienne is part of the Chrome security team, and I’m sure this will be centered around SSL for web browsers, but I would like to ask her about the topic of security notifications for mobile apps as well.

5:15pm: This is another tough choice for me. I am interested in “The Savage Curtain : Mobile SSL Failures” by Tushar Dalvi and Tony Trummer from LinkedIn, but I am not sure I can handle two straight hours of SSL talk. I am curious how their “attack” differs from the one presented by Yair Amit and Adi Sharabani at AppSecUSA 2014, “Mobile Security Attacks: A Glimpse from the Trenches.”

My alternate option will be “We All Know What You Did Last Summer: Privacy and the Internet of Things” by Ken Westin from Tripwire. I am a huge fan of the IoT topic, and this looks like an interesting aspect of it.

Wednesday

9:30am: Opening keynote by Katie Moussouris. OK, I think Katie is awesome, but there’s probably no chance I will get up early enough two days in a row to fight rush hour(s) traffic (driving from Orange County) to be able to see this one.

10:30am: I will likely be trying to do last minute work on my slides, but will likely sit in on “Chrome Security Health & Wellness” by Parisa Tabriz from Google. The other talk that looks interesting is “Caspr and Friends (Content-Security-Policy Reporting and Aggregation)” by Stuart Larsen from MTU, if I am up for more CSP after Ksenia’s talk on Tuesday.

Don’t be tempted to check out any other talk during this hour, because rest assured you won’t miss anything! Jim Manico will just be waxing poetic about SSL hacks and how doomed we all are. Patrick Wardle will just be talking about that old mobile crap that only *everyone* is interested in. And Jeff Williams will just be making brilliant points about applying CI concepts to security. Boring! (j/k)

2:00pm: “Building a Modern Security Engineering Organization” by Zane Lackey from Signal Sciences.

The alternative is “How Building a Better Hacker Accidentally Built a Better Defender” by Casey Ellis from Bugcrowd. I think these bug bounty programs are a very interesting new option for finding vulnerabilities.

3:00pm: “DevOps, CI, APIs, Oh My!: Security Gone Agile” by Matt Tesauro from Pearson. Matt is a sharp guy, and I have appreciated his work since his days at Rackspace, so I am looking forward to hearing Matt’s view on this topic, which I have been focusing a lot of our company’s efforts on. I think this is a critical piece of the security puzzle. Unfortunately I will have to miss out on the SQLViking talk, but I look forward to getting my hands on that tool (plus some free time).

4:00pm: “Why Do We Suck at Infosec?” by Charlie Miller from Twitter. I appreciate these chances to step back from our good efforts to examine some of the stupidity we have accepted as baseline practices. Sometimes those baselines are facts we have to deal with, but sometimes we need to simply look at the problem differently and adjust accordingly.

AppSec Cali: Hackazon – Stop Hacking Like It’s 1999!
http://www.manvswebapp.com/appsec-california-hackazon-stop-hacking-like-its-1999
Fri, 23 Jan 2015 21:05:13 +0000

I’m looking forward to reconnecting with everyone next week at AppSec California. I hope you’ll join me for my talk, Hackazon – Stop Hacking Like It’s 1999! In this talk, I’ll give a detailed overview of Hackazon, a new open source vulnerable web application that reflects the technologies used in today’s rich client and mobile applications. Hackazon is an on-line storefront that has an AJAX interface, strict workflows and RESTful APIs used by a companion mobile app. And it’s full of your favorite vulnerabilities like SQL Injection, cross-site scripting and so on.

During this talk, we’ll take the time machine back to 1999 to review what kinds of application security issues we were GETing and POSTing about in 1999. Then we’ll come back to present day times to see how our security testing tools have changed (or haven’t) to keep up with today’s dynamic applications.

The IT security community has really been lacking the tools needed to train and test our teams to secure modern web and mobile applications as well as the rapidly proliferating web services. While the industry has been using test applications to enable penetration testers to build skills and evaluate testing tools, most of the vulnerable test applications (WebGoat, DVWA and Hackme Casino) simply don’t reflect today’s applications. Even though Google’s new Firing Range test app is a handy “test bed” style application, it is also based on a mostly web 1.0 environment. Hackazon fills the gap between today’s applications and yesterday’s vulnerable test ones.

Security testing is a game of coverage. When large portions of applications go untested, there is too much unknown risk. Unknown risk is what keeps security professionals up at night. Security teams today are responsible for mobile applications, rich client interfaces and RESTful interfaces that are too frequently going untested. It’s time for that to change.

Hackazon is a much needed tool that enables security experts to actually learn to test the applications they are now responsible for in today’s world.

This year’s champion dominated the season and entered the playoffs as the #1 team with 10 wins and only 3 losses. He won the season by making bold moves on the waiver wire, with 40 transactions, and ended the season with only four of his original 15 drafted players! His pickup of Odell Beckham Jr proved to be the critical pickup that carried him through the playoffs to become champion of the 2014 Hackers Only – Fantasy Football League!

I announce your CHAMPION…………….. DAN KUYKENDALL!!! <roar of the crowd/>

The final game looked like more of a blowout than it really was. Even after Alan Shimel made some smart last minute roster changes, he really lost due to “bad Luck” with his QB. Andrew Luck had the worst game of his career, so insanely out of character that it has been called “the worst fantasy performance ever” by Matthew Berry. Andrew Luck has averaged 31.82 points per game, but Luck-ily for me only had 2.36 this week. Had Luck put up an average week, Alan would have been walking home with the trophy!
By the way, in last week’s post I talked about my concerns with QB Philip Rivers, so I ended up benching Rivers after all these weeks of suffering his low point games, only to have him earn the most points for the entire season!

Fantasy Football, ultimate game of “what ifs” – Dan Kuykendall

In any case, I am the champ! I am redeemed from my terrible 11th place finish from last season, and now I am the CHAMP! GO GO NTO!

Dmitriy went all Beast Mode on Kenny!! Despite having two of his players put up ZERO points, Dmitriy could have beaten Kenny with ZERO points from four more of his players. Last week I predicted that Aaron Rodgers would take out his frustration over last week’s performance on the terrible Tampa Bay Bucs. The problem was that the Bucs didn’t fight back, and eventually Rodgers didn’t have to play hard to beat them. In addition to that, Kenny made some bad roster choices and just fell flat.

Billy lived by the Peyton and has died by the Peyton! Newcomer Joe has defeated last season’s champ by a super narrow 0.68 points. This matchup was decided during the Sunday night game between the Denver Broncos and Cincinnati Bengals. Joe’s defense was picking off Peyton repeatedly, and Jeremy Hill was on fire. I thought the game was going to turn against Joe when Hill fumbled, but it did little to slow down the points he was racking up. In the final minutes, it looked like Peyton would drive down the field to secure a win for Denver and Billy, but it was not to be. Peyton threw a terrible final pick six that cemented the loss for Denver this week, and the same for Billy.

As predicted, David walked all over Matt Jo. In fact I am fortunate that David had such a bad matchup in the first round of the playoffs, because he was this week’s highest scoring team. Matt put up a respectable score and went out fighting. The mismatch was most highlighted by each team’s QB spot, with David having Seahawk Russell Wilson, who decided to act like his teammate and go Beast Mode on the unfortunate Arizona Cardinals.

Season Review

This has been a great season! I have really enjoyed the banter this year, and hope that next year we can add more teams and get more Twitter discussion during the season. I am sad the season is over, and can only console myself with the anticipation of what’s looking to be a wild and crazy NFL playoff battle in the weeks ahead.

I will be working on details for the RSA meet up, and will make sure everyone knows the time and location so we can share drinks and stories about the season. I will also be at AppSec California, so reach out if you’re going to be there.

For now I wish you all a Merry Christmas and a Happy New Year!!

HOFFL 2014 Playoffs Week 2
http://www.manvswebapp.com/hoffl-2014-playoffs-week-2
Wed, 17 Dec 2014 19:25:18 +0000

The season is nearly over, and this week was exciting and sets the stage for an interesting final week.

Playoff week 2 winner bracket review:

This week we had an NTO vs NTO matchup. As the number one seed I was the easy favorite, but given the way Dmitriy rolled over @BillyAustintx’s #2 team in the first round of the playoffs, I was worried. It turned out that I had plenty to worry about, because I was one mouse-click from losing! On Sunday morning it was announced that San Diego Chargers running back Ryan Mathews would be out with an ankle injury. Lucky for me, Dmitriy did not notice this while on vacation, and he did not swap in his Colts running back, Daniel Herron. Had he done so, he would have had an extra 7.20 points, which would have been enough to give him a one point lead and the victory!

It should never have been that close, but several players on my team had terrible weeks, and I was only saved by the studly Odell Beckham Jr. As a side note, that same Odell crushed me in my church league, where I was also the #1 seed and ended up losing to the #8 seed. Fantasy football can be so cruel at times.

These teams looked very evenly matched and I said it would be a toss-up, and it was. Like in the previous game, the score was close, but this time both teams did terribly! Alan Shimel just did a little less terribly and snuck away with the win. Kenny suffered the fate of so many fantasy football players this week: the misfortune of being in the playoffs when Aaron Rodgers had the worst fantasy game of his entire career. Ouch!

Both of these teams were newcomers to the league and did amazingly well, and both were a hair away from the championship game. Both teams also have the potential to outscore the championship teams this week, but for all that, they will only win 3rd place. I have a feeling that Dmitriy is in trouble because Aaron Rodgers is pissed about last week and is going to take out his frustrations on the terrible Tampa Bay Bucs.

It has come to this… the final against my buddy Alan Shimel!
I am not taking any comfort in his score from last week, because it was a fluke. He has had 5 weeks with 130 points or more, and has some tremendous play makers on this team. His QB, Andrew Luck, is a monster and has had 4 weeks with 40+ points and only one week with less than 20! My QB, Philip Rivers, has never gone above 36 points, and has had 6 weeks with less than 17 points. Alan has an advantage with his RBs, but I have a killer’s row of WRs (O. Beckham Jr, Megatron, Randall Cobb) and Gronk at TE. This week can hinge entirely on whether or not DeMarco Murray is held out because of his hand injury surgery, which would mean I can start Joseph Randle to strengthen my RB lineup.

Sorry Shimey, but you’re going down!!

Playoff week 2 consolation games:

The closest game of the week nearly saw Billy lose to the worst playoff team after losing to the next to worst last week. Matt should have won, but I think he gave up on his season when he left Andre Johnson (out with a concussion) in his starting lineup and left Antonio Brown on his bench. Those extra 14.30 points would have given the bearded one a shot at 5th place. Billy crushed the league all last season, and all this season he rode the Peyton Manning freight train to great results… up till the playoff weeks, when Peyton decided his arm was tired and it was easier to just hand the ball to CJ Anderson. In any case, Billy eked out the win and has a shot at 5th place.

Joe had the highest score of the week, but it only earns him a shot at 7th place. I am fortunate that last week Drew Brees played so terribly, and Jeremy Hill waited an extra week to show how much better he is than Giovani, otherwise I would have faced Joe this week and gotten crushed. David’s team just sort of fizzled. There was no key player that failed… it was just a shared underachievement by his team that left him unable to compete. Farewell David!

Billy is in trouble. Peyton isn’t playing well, and it’s possible that DeMarco Murray will be out, which leaves Billy with long odds against Joe this week. Joe is stacked with players that need to win this week, and Drew Brees, Colston and Graham are going to put up points against Atlanta, and Jeremy Hill is looking unstoppable.

I call this one for David. WhiteHat looks like they will have to settle with just being happy to make the playoffs, kind of like the Bengals do every year.

Check back next week for the final wrap up, and my gloating or whining based on the results.

HOFFL 2014 Playoffs Week 1
http://www.manvswebapp.com/hoffl-2014-playoffs-week-1
Fri, 12 Dec 2014 20:26:04 +0000

This season of the Hackers Only Fantasy Football League (HOFFL) has been great. We have had some crazy results and many surprises throughout the season. The regular season is over, so it’s time to give a summary of how the season went as well as covering the first week of the playoffs.

Season and playoff week 1 review:

12th place (2-11): I am surprised by the decline of @SecBarbie this season. Last year, she squeaked into the playoffs as the 8th place team and lost in the first round against the eventual league winner @BillyAustintx. This year she came in last place with only two wins. Ouch!

11th place (3-10): Newcomer Ken Pfeil tried hard to secure the last place record by closing out the season on a 7 loss streak, but it wasn’t enough to catch up (down?) to @SecBarbie, and he ended the season with one more win than her.

10th place (4-9): Sadly, my good buddy Michael Farnum (@m1a1vet) ended well below last year’s 4th place record, where he made it all the way to the semifinals. Despite having Tom Brady and Dez Bryant on his team, he just seemed to have terrible luck all season with several close losses. Maybe next year, buddy.

9th place (4-9): Despite having two managers, @Patrick_Adam and @LCarsten couldn’t help but follow their fellow Texan to the bottom. Last year, the Hash Crackers ended as the 3rd place team after beating Farnum in the final week, but this year they couldn’t even get to the playoffs.

8th place (6-7): The newcomer with the best beard, @MattJay, did well for himself to make it to the playoffs. Despite drafting a decent team, his players just failed him. On top of that, he had the misfortune of having his best week of the season in week 8 when he faced me, and still lost 126.30-149.98. At least he has the best beard, no doubt because he uses the best beard oil.

Playoff week 1: As the last place team to make it to the playoffs, he had to face the first place team (yep, that’s me) in an epic NTO vs WhiteHat showdown. His team couldn’t take the heat, and he went down to defeat! GO GO NTO!

7th place (6-7): Another NTO’er joined the league this season, and despite having almost no football watching experience, did very well. Dmitriy (@dmk1492) started strong with an exceptional draft, then proceeded to have a wacky win-loss-win-loss-win-loss season. He made some crazy roster changes and pickups that I questioned and recommended against, only to have his picks work out amazingly for him. He even scraped out a win against me in week 9! I wasn’t too happy about that! Arg!

Playoff week 1: His record placed him against the 2nd place team and last season’s king, @BillyAustintx. As the heavy underdog he pulled off the biggest shocker of the season by wiping the floor with Billy in a 159.88-77.62 blow out of the week!!! Wow… wow… wow. This is fortunate for me, as I was worried about playing Billy in the finals. However, Dmitriy faces me for week 2 and I can only hope he will resume his win-loss-win-loss pattern. GO GO NTO!

6th place (7-6): As with last season @frenchdc hung well in the middle of the pack and had another winning season, in large part due to an easy final schedule where he faced the 3 last place teams.

Playoff week 1: Misfortune befell David with his pairing in the first week: he had the 3rd highest scoring team of the week, but his opponent had the 2nd highest score. Bummer.

5th place (8-5): Another newcomer with a strong season is @JoeSanders02 who helped to show that I was able to find some good new players this season. The most memorable week for him was week 8 where he won with an insanely narrow margin of 118.84 – 118.78 on poor Ken’s best score of the season.

Playoff week 1: Sadly Joe had his worst score of the season and the 2nd worst from any team all season, with only 51.90 points. Good luck against David in week two’s consolation bracket.

4th place (9-4): Once again @ashimmy is among the leaders and only dropped one spot from last season’s 3rd place for the regular season. He was well served by Andrew Luck, Jamaal Charles and Emmanuel Sanders… monster team.

Playoff week 1: Unlike last season, when Alan was ousted in week one of the playoffs, he is moving on this year. He did not score well, but up against Joe’s terrible score Alan advances to the semi-finals against a dangerous Kenny as the 3rd and 4th place teams do battle.

3rd place (9-4): Now for the final and best newcomer, we have @glumdragonfly aka Kenny. Apparently he is not only a great web app sec guy, but no slouch at fantasy football! Kenny was rolling strong during the end of the season, winning 7 out of his 8 final games. That one loss was a narrow loss against my dominant team.

Playoff week 1: Kenny had the 2nd highest scoring team in the first week to help him roll over David. As previously mentioned, he faces Alan Shimmy this week in a toss up match. Good luck to you both!

2nd place (10-3): Last season’s king, @BillyAustintx was rolling strong once again, with Peyton Manning and Julius Thomas helping him dominate most weeks. Billy and I faced off twice this season with Billy winning the first, and me winning the second. We had a tied record but I had a higher total points for the season.

Playoff week 1: I had fully expected (with dread) to face Billy in the fantasy super bowl, but no one could have guessed that Peyton Manning and Julius Thomas would have their worst week of the season, dragging down Billy into the consolation bracket. Nice work Dmitriy!

1st place (10-3): Yours truly @dan_kuykendall is the comeback of the year winner!!! After the humiliating 11th place finish last season in the league I started, I have returned the world to its proper order. My wide receiver corps of Calvin Johnson, Randall Cobb and Odell Beckham Jr had fun with my TE Gronk to slice and dice my way to the top of the ranks. I will note that I had a shocking loss to Dmitriy in week 9… which is a concern.

Playoff week 1: As expected I had an easy win against @MattJay (GO GO NTO!), but I did not have the kind of score that I will need going forward. For week 2, I am matched up against the surprisingly dangerous Dmitriy who beat me in week 9, as I mentioned, and who served up a smack down to Billy last week. Wish me luck!

[Tip for Dmitriy, maybe you should bench Le’Veon Bell this week when you play against your boss]

Well, it’s been a fun season and I hope you all stay tuned to find out how the season ends.

For those in the league and following the season, I hope to see you all at RSA 2015!

Mass Scanning the Internet – DefCon 2014 (Talk Summary)
http://www.manvswebapp.com/mass-scanning-the-internet-defcon-2014-talk-summary
Thu, 11 Dec 2014 21:13:48 +0000

This talk, Mass Scanning the Internet at DefCon 22, piqued my interest as we at NTO are very fundamentally concerned with gathering massive amounts of security assessment data from a web application, and so a perennial nemesis for us is memory management. So reading the brief, I thought, wow, these guys (Rob Graham, Paul McMillan, Dan Tentler) are scanning the whole internet. I might get some memory management ideas. Well, jumping ahead a little, the bottom line is: their tool isn’t too picky about every single connection succeeding or storing every last little bit of information gleaned from every successful port connection. The tool basically just blasts out a massive number of requests in a hugely parallel fashion and then notes what comes back. So what was I expecting, magic? One never knows. Oh well, so I didn’t discover how to cram terabytes of information into a 2gb process space, but the talk was interesting anyway. This is not a denigration of their tool, by the way, just an account of how vague expectations sometimes fail to pan out. In fact, it sounded like there was some very interesting engineering in the tool.

So, on to that. The spirit of this tool is to go get as much low hanging fruit as possible, and it turns out (no surprise) there is quite a bit of it: Heartbleed, the D-Link router vulnerability, SSL in general. One can also survey all SSL certs in use… interesting one there. As it is port and IP scanning, it is not reliant on spidering, search engines, DNS, or any similar toehold-and-fanout techniques. The deepnet (or is it darknet, I keep hearing both) is illuminated by this tool. Using the tool in banner grab mode turns up loads of hackable LHF apparently. The speakers indicated that companies such as Siemens can turn out to be rather vulnerable when you scan them using these techniques. One point that is perhaps the most seminal implicit point of this talk is that we (security professionals), and myself in particular, are heavily steeped in web application/service security and tend to get monomaniacal to that effect, but let us not forget that port scanning and hardening systems w.r.t. port-based service vulnerabilities, though we may tend to think of it as “last generation,” is still highly valid to be doing.

The speakers went on to talk about something I never really thought about, but it is quite worth thinking about… that of packet overhead and how billing is assessed. Of course TCP/IP packets have overhead, but apparently some ISPs charge for gross bandwidth utilization versus others that charge for the content (minus the overhead). And the speakers indicated that if you do this mass scanning the internet stuff, you will incur the wrath/indignation of the ISP and possibly the organization(s) you are scanning. No great revelation that, but we all have probably done the naive thing of “hey that’s cool, I’m going to try it” and then later, “hey whoa, don’t overreact there, I didn’t mean anything by it,” with something like this. They recommend making an exclude list with, e.g., the DoD and similar organizations in it. Then they personality profiled the typical complainer… they tend to have an attitude, they tend to be kind of stupid technically. The speakers recommended paying shady VPS providers with bitcoin as a way of running scans without getting shut down by complaints, as said providers are well accustomed to that model, wink wink nudge nudge.

They then detailed how MassScan works as compared to Nmap. Basically what I said previously… massively parallel, blast out as many requests without being picky about what comes back. Banner checking seems to be the most potent assessment you can do with this tool apart from the implicit assessment value of finding out what exists on the internet. They then went on to present some data they gathered, such as 300,000 systems still vulnerable to Heartbleed as of July 2014. They talked about scanning mainframes. That reminds me of another talk I attended about how juicy mainframes can be precisely due to their being as old-school as they are.

And so that is what they presented in this talk. I come away with a renewed respect for port scanning; it’s not all just the web.

Taking Aim at Google’s Firing Range
http://www.manvswebapp.com/taking-aim-at-googles-firing-range
Sat, 22 Nov 2014 00:52:37 +0000

This week a developer from Google released a new vulnerable test app named “Firing Range” which I have been digging into for the last few days. This has been of particular interest because, of course, I work on the best web scanner on the market, NTOSpider, and also because I have spent many months this year working on a new test app called Hackazon.

Over the years, I have spent time reviewing all the existing test apps from the great OWASP VWAD list, and each certainly has its strengths and weaknesses, but all are useful. Maybe I will spend time breaking down each test app in the future, but for today I am going to discuss the newest entrant from Google.

Firing Range – What It Is

Firing Range is a “test bed for Web application security scanners that provides coverage for a wide variety of cross-site scripting (XSS)” vulnerabilities and according to Google security engineer Claudio Criscione “they needed a testbed with which [to] analyze current and future scanning capabilities.” In addition, according to Google,

Firing Range “predominantly looks for XSS bugs, but there are other vulnerabilities it can find as well. It differs from previously available tests for XSS scanners in that it doesn’t try to emulate all the possible attack scenarios in a specific application. Instead it relies on automation based on a collection of unique bug patterns drawn from in-the-wild vulnerabilities observed by Google.”

Firing Range – What It Is Not

It is not a “fake site” type of test app or a CBT (computer based training) type of app. A “fake site” is one that is intended to look like a real site, but with vulnerabilities intentionally sprinkled about. Well-known examples of fake site test apps are Hackme Bank/Casino/Books. The CBT test apps are geared toward teaching about web security and usually help walk the user through the process of understanding the various types of attacks and letting them try the attacks, examples of a CBT type of app would be WebGoat.

Firing Range – What It’s Good At

Firing Range is specifically focused on one of Google’s biggest concerns, which is Cross-Site Scripting (XSS) attacks, and it enables testing for a great number of possible XSS attacks. It is not a complete list, but it is damn close and is the best collection of tests I have seen in one place. Firing Range is nicely organized with a sort of self-documenting file structure, so it’s generally clear which attack will work based on the directory/filename.

Unrealistic Scenarios

While there are some benefits and nice features of Firing Range, many of the tests are highly impractical and unrealistic. While Google claims that it wanted to represent vulnerabilities that are seen “in the wild,” the way the vulns are implemented makes it unlike anything seen in the wild. Here are some examples:

Let’s look at /tags/meta?q=a where you attack the ‘q’ parameter on the URL.

Notice that the responses to requests 1 & 2 are just “Invalid input, no tags” and the input value does not reflect in the response. Normally when a pen tester is doing an XSS attack, the first thing he/she would do is figure out if the input will “reflect,” or show up, in the response. If it does, then the pen tester would begin the process of trying different XSS payloads, and if it doesn’t reflect the pen tester might still do a handful of attacks to see if it causes an error response in which the reflection takes place. So you only want to do extensive testing when you’re dealing with a reflection point, and avoid having to blast every input with hundreds or thousands of possible attack variations. When using an automated scanning tool, this helps significantly reduce scanning times while still maintaining high quality results.

In the following request #3, we see that if we send a <meta> tag, it gets detected and then reflected after some HTMLTidy work is done to it. Notice the y now has quotes around it and the tag is properly closed. So not only does it only reflect when you send the attack it wants, but it also makes changes to your attack payload, which can make it hard to detect whether your injection is showing up as expected (it could trick a regex you may be using).

This is just one example among many that make it less than ideal as a scanner test site, because it’s likely that a dumb, slow scanner could do well on this site, while scanners using smarter approaches will end up struggling because of the unrealistic situations replicated.

Does This Mean Firing Range Is Bad?

Not at all, and in fact I am really excited about most of Firing Range. I will counter my previous criticism with a big compliment: the structure of the test bed is well organized and generally well conceived for the specific tests it covers. I imagine that there are reasons it would be hard to make sure that each page only allows the specific attack it’s supposed to be vulnerable to, such as a meta tag but not any other attacks. The way the developer, Mr. Criscione, accomplished this was a logical convenience for him, but it leaves room for improvement.

Firing Range has proven useful to us already, as it has helped us uncover some things we needed to do better with our scanner, and we have already started to use it to improve some of the routines and tests in our scanner.

Conclusions

I have not seen any other real dissections or analysis of Firing Range, and it is early to give broad conclusions, but there is a lot to like about this test bed, along with some things that could use improvement. I spoke with a buddy [Need to ask him if I can use his name here.] who works on an open source web scanner, and he too agreed that the unrealistic tests are a problem and frustrating, but like myself is glad to have another test app available.

I plan to reach out to Mr. Criscione next week to discuss and get one of my developers to see if we can help contribute some code that will improve the tests to be more realistic.

Let us know your thoughts!

More on Google’s Test App, Firing Range

Low-Tech Ways of Detecting High-Tech Surveillance by Dr. Philip Polstra (2014 DEF CON Summary)
http://www.manvswebapp.com/low-tech-ways-of-detecting-high-tech-surveillance
Fri, 21 Nov 2014 20:16:18 +0000

I must confess to whomever it is relevant to do so (only God probably and He is likely bored with confessions by now) that I attended this talk because it sounded interesting and it was in the Penn and Teller room at DEF CON 22 which has comfortable seats, rather than for direct value for work. It did not disappoint on either count. As to the latter point, I cite the usual “stimulation of security/paranoid-minded thinking is always good for work” excuse. The speaker, Dr. Phil aka Dr. Philip Polstra (https://twitter.com/ppolstra), detailed techniques for detecting if you are being surveilled via video, tailing, bugging, and/or devices embedded in your computer/smartphone. He talked for a bit on how it is well known how the government is trampling all over the Constitution and civil liberties and about others who might have an agenda prompting them to stalk you. I readily echo these sentiments. There are many ways I am sadder and wiser with regard to such things as litigation and the courts, the true function of the police, and so forth… in contrast to the idealized view of these things proffered by Leave-It-to-Beaveresque propaganda.

First he talked about video surveillance. Simply, did someone manage to sneak a camera into your bedroom, office, bathroom, whatever. His detection technique relies on the fact that most of these cameras have infrared LED arrays to illuminate the scene in front of the camera with IR. I have some of these cameras and can confirm that they have these LED arrays, they are bloody bright when reflected back into the camera through a window, and do not seem to do much for the camera’s low light efficacy yet they are on most cameras. As pointed out by the speaker, they are easily detected with a digital camera. I have known of this for some time and I use my digital camera to test remotes that do not seem to be working but it never occurred to me to sweep the camera around in a dark room looking for cameras. Good tip for the paranoid. There are also purpose-built IR detectors that can be used. An interesting one he mentioned is detecting wireless cameras with an Android tablet or smartphone. Good idea. I don’t know the specifics of the FCC mandates regarding all these GHz communication devices but just by reading the boxes, the frequency band is pretty narrow, so a signal strength detection device in that band will pick up on about anything using those frequencies. As with the other devices he talks about, he starts out recommending cheap you-probably-already-have-it detection devices and then notes the more expensive options like, in this case, RF power detectors and bandpass filters.

Then he moved on to physical surveillance. Specifically, tailing and stakeout. Mostly common sense stuff here, but to be specific, non-government tailers use bland colored Toyotas, Hondas, or SUVs and government people use issued fleet-type vehicles like a black SUV or Crown Victoria. That latter one is rather interesting. Most non-government Crown Vic drivers are old white guys and you really don’t see too many non-taxi, non-police Crown Vics driving around, thereby making that a rather conspicuous tail car. But I think that is changing. I am somewhat into this stuff and have watched YouTube reviews of cars that various police agencies are considering to replace their aging Crown Vic fleets. Anyway, back to the talk, tailers generally follow 2 car lengths to a block behind (never directly behind) or 0.5 to 10.0 miles if they managed to sneak a bumper transponder onto the target’s car. They abort if the tailed subject shows 3 suspicious impressions that they are being followed (i.e. race through a light, circle round the block, keep checking mirror, etc). Multi-car tails, as you would expect, have the luxury of more subtlety as they can coordinate their efforts. Some countermeasures have already been mentioned, but one can also flip around on the AM dial to search for bumper beepers. They typically broadcast an easily recognizable sine wave at a particular frequency that will be loud and clear if the thing is in/on your car. More exotic RF detectors of course can also be used. Other combating techniques include dragging traffic lights, driving through residential neighborhoods, parking a few times, taking alleys and side streets. In general, force the tailer to be obvious.

Stakeouts might use the same inconspicuous vehicles used for tailing and in addition: vans, SUVs, pickups with toppers. Look for a van that says “Flowers By Irene” on it, ho ho he he ha ha. That’s me, not the speaker, saying that by the way. I think I saw that in The Simpsons. Seriously, you can look for construction/utility workers who don’t seem to be doing anything for a long time. The speaker did not mention how to distinguish these guys from teamsters. Look for commercial vans parked for extended periods. Countermeasures include spying back… let them see you checking them out with binoculars. Run outside and jump in your car then run back inside and see what they do. Drive around the block and see if anyone follows you.

Active bug detection was the next subject. Similar to above, he recommends devices in escalating order of expense. AM/FM radio might detect some bugs. USB TV Tuner SDR (Software Defined Radio) can pick up on 50MHz to 2GHz. Commercial bug detectors go 10MHz to 8GHz. And finally, you can blow $500 on a commercial bug detector. Passive bugs must be stimulated with RF in the correct, or possibly close-enough, band. Stimulate the bug then scan for it like scanning for an active bug. As usual, there are cheap ways to stimulate a passive bug, like blast it with 2.4GHz or a noisy broadband transmitter (white noise I assume is best) connected to a TV antenna.

Bugs in your computing devices was probably the most disturbing subject to a paranoid like myself. These are bugs that can be installed in computing devices by government, intercepting shipments, service people, etc. They betray their presence by current consumption. Of course charging your tablet/laptop might trickle some current anyway but if you wave your hand in front of the camera and can reliably generate current variations, there is probably a bug in the device. You can also simply look for stuff plugged into USB ports etc. I have seen some cards/motherboards with USB slots on the board, i.e. inside the case when the case is closed. There are also passive bugs, like the “expensive NSA bugs.” Similar to above, you need to activate them then employ the detection techniques. Straying off the talk for a moment, my friend mentioned he read an article that says the NSA has some exotic equipment where they can discern from something like up to 100 meters away what is on your computer, i.e. what you are viewing at any given moment. It takes a while to set up the equipment so they are not going about using this whimsically but it is still pretty unsettling. If you see a “Nick’s Solar and Air Conditioning” van in your neighborhood, turn your computers off or pop up a browser to the USA Today homepage until they go away.

This was one of those cool “make you think” talks. In addition to what I cited in the opening paragraph, I like these sorts of talks as they shake me out of my “Nerd tunnel vision.” Meaning, if I don’t shake myself with one of these every now and then, I tend to fall into this circular trap of thinking about computer security as a means to computer security… i.e. to forget about the physical world where secure thinking in that world keeps one sharp in cyberspace and reaffirming the connections between the two worlds sustains a bigger picture view that enhances my security posture.

Peck began with a general discussion of phishing and its relative importance in the web app security space today. He pointed out that while phishing is old news, and isn’t the latest and greatest threat to hit the headlines, it is still out there and still causes damage. He put up some stats that show that phishing is alive and well (especially targeting Indian firms, apparently), but only constitutes about 1% of the overall amount of cybercrime. And while the overall amount may have grown with time, there is a question of “diminishing returns” based on the amount of effort required to combat an issue of comparatively lesser impact.

It is unsurprising then that phishing detection remains largely unchanged since 2006: built on anti-spam technology (not all spam is phishing), sender blacklists, and site reputation. But changes in the environment have made these older techniques less and less effective. For example, user mobility makes perimeter defenses impossible (e.g. IPS). Also, with the large turnover in domain names and the ease of setting up new ones based on the new top-level domains, blacklists and reputation are hard to keep up to date. And the new vector of social media is almost impossible to police.

To move forward with newer defenses, it is important to understand what makes phishing effective: the human factor. In Peck’s terms: humans are gullible, greedy, careless, and uninformed. To counter this problem, we should try to get the computer to see things the way we humans see things. One way to do this involves the use of perceptual hashing.

Perceptual hashing involves making a hash or “fingerprint” of images. Peck briefly overviewed three hashes: the average hash, the discrete cosine transform hash (uses methods similar to lossy compression to focus on salient detail), and the difference hash (very fast). Comparison of hashes of two images (made with the same algorithm) uses the Hamming distance, which is the count of bits that differ between two hashes.

Phishing detection can utilize these hashes. A library of perceptual hashes of web pages is compiled with associated known good originators. Pages can also be broken down into discrete images that can be similarly hashed and cataloged. Then, when web pages or emails are encountered, those are hashed in the same way. If the hashes match or come close to those in the database, but the sender is different, a likely phishing attempt is flagged. Although I don’t think Peck described it as such, this is effectively a whitelist approach, making it much more maintainable than a list of constantly changing phishing sites.
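As an added example (not Peck’s code or NTO’s), the following pure-Python script implements the difference hash and average hash, the Hamming distance comparison, and the whitelist lookup described in the two paragraphs above. The images are constructed 2-D grey-value arrays standing in for rendered page screenshots, and the catalog entry, the domain names and the distance threshold are all assumptions made for the example.

```python
"""Perceptual hashing for phishing detection (added example, not from the talk).

Images are plain 2-D lists of grey values (0-255) so nothing beyond the
standard library is needed; a real deployment would fill those lists from a
rendered page or e-mail screenshot via an imaging library."""


def resize_gray(img, width, height):
    """Box-average downsample of a 2-D list of grey values to width x height."""
    src_h, src_w = len(img), len(img[0])
    out = []
    for ty in range(height):
        y0 = ty * src_h // height
        y1 = max((ty + 1) * src_h // height, y0 + 1)
        row = []
        for tx in range(width):
            x0 = tx * src_w // width
            x1 = max((tx + 1) * src_w // width, x0 + 1)
            total = sum(img[y][x] for y in range(y0, y1) for x in range(x0, x1))
            row.append(total // ((y1 - y0) * (x1 - x0)))  # integer mean, deterministic
        out.append(row)
    return out


def dhash(img, size=8):
    """Difference hash: one bit per pixel, set when the right neighbour is brighter."""
    small = resize_gray(img, size + 1, size)
    bits = 0
    for row in small:
        for x in range(size):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits


def ahash(img, size=8):
    """Average hash: one bit per pixel, set when the pixel is above the mean."""
    pixels = [v for row in resize_gray(img, size, size) for v in row]
    mean = sum(pixels) / len(pixels)
    bits = 0
    for v in pixels:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes made with the same algorithm."""
    return bin(a ^ b).count("1")


# Constructed sample "logos": 9x8 cells, '#' = light, '.' = dark.
LOGO = ["#########", "#.......#", "#.##.##.#", "#.##.##.#",
        "#.......#", "#.#####.#", "#.......#", "#########"]
OTHER = [".........", ".#######.", ".#.....#.", ".#.###.#.",
         ".#.###.#.", ".#.....#.", ".#######.", "........."]


def render(cells, scale=4):
    """Expand a cell pattern into a grey image, each cell becoming scale x scale
    pixels.  A mild left-to-right gradient keeps adjacent cells distinct."""
    img = []
    for row in cells:
        pixels = []
        for x, c in enumerate(row):
            pixels.extend([(200 if c == "#" else 40) + 3 * x] * scale)
        img.extend([list(pixels) for _ in range(scale)])
    return img


def brighten(img, delta):
    """Simulate a re-encoded copy whose overall brightness shifted by delta."""
    return [[max(0, min(255, v + delta)) for v in row] for row in img]


# Whitelist: hash of a known-good page rendering -> its legitimate sender.
# The domain name is made up for the example.
CATALOG = [(dhash(render(LOGO)), "mail.example-bank.test")]


def classify(page_img, sender_domain, catalog=CATALOG, threshold=10):
    """Flag a page that looks like a catalogued one but arrives from elsewhere."""
    h = dhash(page_img)
    best_hash, best_sender = min(catalog, key=lambda e: hamming(h, e[0]))
    if hamming(h, best_hash) > threshold:
        return "unknown"          # nothing in the whitelist resembles this page
    if sender_domain == best_sender:
        return "legitimate"
    return "likely-phishing"      # looks like the bank, but it is not the bank


if __name__ == "__main__":
    copy = brighten(render(LOGO, scale=8), 20)   # larger, brighter re-render
    print(hex(dhash(render(LOGO))), hamming(dhash(render(LOGO)), dhash(copy)))
    print(classify(copy, "mail.example-bank.test"))
    print(classify(copy, "example-bank-secure.test"))
    print(classify(render(OTHER), "somebody.test"))
```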

I wonder how perceptual hashing could be used by NTOSpider, NTOBJECTives’ web application vulnerability scanner. Perhaps current malware detection could be added as a feature. Of course, this would require either NTO maintaining its own list of hashes, or use of another database.

Mobile Security Attacks – A Glimpse from the Trenches (OWASP AppSec USA 2014 Preso Review)
http://www.manvswebapp.com/mobile-security-attacks-a-glimpse-from-the-trenches
Thu, 30 Oct 2014 16:55:57 +0000

At the recent OWASP AppSecUSA in Denver, Yair Amit and Adi Sharabani of Skycure presented a very informative overview of mobile security issues. There was a great deal of good material in this presentation, packed into a short period of time.

The presenters divided the attacks into four overlapping areas:

Physical Security

Network

Application Security & Privacy

Malware

Physical Layer

The problem here is obvious: the device is lost or stolen, or temporarily accessed by a non-authorized user. In these cases, the responsibility has fallen on the OS for protection. With stolen devices in particular, the opportunities for controlling loss are greatly reduced, as the thief will intentionally disable internet access, which is required for many of those protective mechanisms to work.

Network Attacks

The presenters estimate that 10% of “scanned networks” (presumably wifi) pose some sort of threat, and that the likelihood of encountering such a network is 40% over a period of four months, with that number increasing with time. They have even put together a real-time mapping of network threats: https://maps.skycure.com/ (Just for fun, I recently entered Los Angeles into the app, and it identified a half dozen clustered in east LA, and one in South Central. Central LA seemed clear, but there were some other threats in Beverly Hills and Westwood. Your mileage may vary.) For more information: https://www.skycure.com/blog/mapping-global-security-threat-landscape/

Network Security Implementation Issues

Two network layer implementation issues affecting mobile devices were reviewed: the gotofail bug in iOS, and Heartbleed in Android. The presenters briefly contrasted the updating mechanisms for the two platforms. The good news for iOS is that gotofail could be easily fixed and updated on affected devices, as iOS is a single platform that is updated by the vast majority of users in short order. The less good news for Android is that updating is more difficult due to platform fragmentation. Since Heartbleed is really more of a server concern and is hard to exploit on a device, the lack of updatability was not too troubling in this case.

Network Security General Design Issues

This portion of the presentation focused on design issues of the more general “protocol” varieties (i.e. not mobile device specific).

sslstrip

The first design flaw examined was the five year old sslstrip vulnerability. The solution, HSTS, is only present on newer browsers. Older devices have older browsers (presumably especially on harder-to-update Android) that do not support HSTS. In terms of how to address the problem, the difference between this design issue and the implementation bugs above is (presumably) that a server modification is necessary in addition to the device update.

“SSL Decryption”

“SSL decryption” was the second general design issue discussed. By this, the presenters are referring to a man-in-the-middle SSL certificate attack. While this is a general issue and not mobile-specific, the presenters nevertheless focused on the dialog that pops up on iOS devices when there are SSL certificate problems. This dialog allows the user to either cancel or continue with the connection. Of course, “continue” is the wrong choice as it may indicate a man-in-the-middle attack, but they have found that 92% of users choose to continue.

They also suspect that the percentage rises with repetition of the dialog, due to the annoyance (if “cancel” means I keep getting the dialog, then…). If a user clicks “continue” not when loading a web page, but due to a problem communicating with an Exchange server, then credentials are compromised. This can lead to even further compromise, e.g. other accounts by resetting passwords, changing contacts with new phone numbers, etc.

My Ten Agorot (or two cents, hey, the presenters are Israeli…)

The presenters did not describe how this SSL certificate problem is handled on Android, which would have been interesting to hear. Neither did the presenters explore possible solutions to this problem, such as future versions of mobile OS that might have a setting to automatically always disallow certificate mismatches.

Karma

The third general design vulnerability is the Karma wifi auto-connect attack.

My Two Cents

This warranted only a brief mention with practically no discussion at all. Probably the omission was due to time, as there has been a lot of content disseminated on this already, and more recent mobile OS versions have been updated to prevent the attack from working. For more information, see it in action using our favorite hacking device, the WiFi Pineapple (https://scotthelme.co.uk/wifi-pineapple-karma-sslstrip/)

Network Security Mobile Design Issues

iOS Configuration Profiles

The combination of having one app store with a lot of screening and the sandbox model do make iOS a relatively secure platform. However, there is a rather significant attack vector available for iOS: “configuration profiles.” These are XML files that allow IT departments to configure iOS devices for specific network purposes. They are very powerful, affecting the entire device, and they bypass all of the aforementioned security mechanisms, making them attractive not only for legitimate use, but also for attackers. They can do some potentially very nasty things, such as redirect traffic and install root certificates! And all it takes is a tap by the user. A web site can be crafted to make such an attack look entirely legitimate, when in fact a Trojan is what is being offered. The presenters put together an example configuration profile attack that worked as a key logger as well as a device keyboard controller. It looks like complete control of the device may be possible including launching and controlling apps!

These attacks do exist in the wild, and they are aware of cases where even legitimate configuration profiles were somehow hijacked by malicious actors. Further, some of the attacks are then spread virally, by sending messages through email and social networking to the victim’s contacts to entice them to also install the malicious configuration profile. For more information: https://www.skycure.com/blog/malicious-profiles-from-theory-into-reality/
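As an added example (this is not code from the presentation, from Skycure, or from NT OBJECTives), here is a small Python audit that reads a configuration profile and surfaces the payloads the presenters warn about before anyone taps "install". A .mobileconfig is an Apple property list whose PayloadContent array lists payloads by PayloadType; the type identifiers used below for root certificate, global HTTP proxy, VPN and Wi-Fi payloads are given from memory and should be checked against Apple's configuration profile reference. Both profiles in the block are constructed for the example.

```python
"""Audit an iOS configuration profile (.mobileconfig) before installing it.

Added example, not code from the presentation. It parses the profile as an
Apple property list and reports the payload types that change what the whole
device trusts or where its traffic goes. Payload type identifiers are quoted
from memory (assumption); sample profiles are constructed.
"""
import plistlib

# Payload types that affect the entire device, not just one app or network.
HIGH_RISK_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root certificate (enables TLS interception)",
    "com.apple.proxy.http.global": "sends all HTTP(S) traffic through a proxy",
    "com.apple.vpn.managed": "installs a VPN configuration (can route all traffic)",
}


def audit_profile(profile_xml: bytes) -> dict:
    """Summarise who the profile claims to be from and what it can do."""
    plist = plistlib.loads(profile_xml)
    findings = []
    for payload in plist.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in HIGH_RISK_PAYLOADS:
            findings.append((ptype, payload.get("PayloadDisplayName", "?"),
                             HIGH_RISK_PAYLOADS[ptype]))
    return {
        "identifier": plist.get("PayloadIdentifier"),
        "organization": plist.get("PayloadOrganization"),
        # A profile the user cannot remove is a red flag on its own.
        "removable": plist.get("PayloadRemovalDisallowed", False) is False,
        "high_risk": findings,
    }


# Constructed profile: looks like "conference Wi-Fi" but also carries a root
# CA and a global proxy, and forbids removal.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>test.constructed.conference-wifi</string>
  <key>PayloadDisplayName</key><string>Conference Wi-Fi</string>
  <key>PayloadOrganization</key><string>Constructed Example Org</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadDisplayName</key><string>Wi-Fi</string>
      <key>SSID_STR</key><string>ConfNet</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadDisplayName</key><string>Root CA</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>PayloadDisplayName</key><string>Proxy</string>
      <key>ProxyServer</key><string>proxy.example.test</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed profile that only configures a Wi-Fi network.
BENIGN_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "test.constructed.wifi-only",
    "PayloadContent": [{"PayloadType": "com.apple.wifi.managed",
                        "PayloadDisplayName": "Wi-Fi"}],
})


if __name__ == "__main__":
    for name, prof in (("sample", SAMPLE_PROFILE), ("benign", BENIGN_PROFILE)):
        print(name, audit_profile(prof))
```

A signed profile arrives wrapped in a CMS (PKCS#7) signature rather than as bare XML, so it has to be unwrapped (for example with openssl smime -verify) before this parser will accept it; the signer's identity is then the other thing worth checking, since a valid signature from an unknown organisation does nothing for you.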

My Two Cents

This part of the presentation held particular interest for me. When I was at DEFCON earlier this year, I noticed that the conference wifi was provided for iOS devices by means of a configuration profile. Even though I knew nothing about them at the time, it struck me as a risky proposition to install something like this. I demurred, and while I’m sure it was safe enough, I ultimately decided to stick to the cellular network as a (probably) safer option. It was gratifying to see my concerns about configuration profiles validated.

WiFiGate

Going back to the Karma attack, mobile device carriers may install pre-defined wifi settings that will result in a device automatically connecting to certain wifi networks, right out of the box. These settings are not user-modifiable, and the devices are vulnerable to a Karma-like attack without the user having to take affirmative steps to connect to anything at all. For more information: https://www.skycure.com/blog/wifigate-how-mobile-carriers-expose-us-to-wi-fi-attacks/

Application Security

As a software engineer in the field of web application scanning, my greatest interest is most clearly in this category, which they characterize as an “emerging threat.”

My Two Cents

Whether they mean mobile web applications or installed mobile applications, this threat has clearly already emerged. Web applications generally have been a primary point of attack since the early 2000s. Now, installable mobile applications are being released rapidly. What’s worse about these new applications is that they use newer technologies, and neither development nor security teams have the same experience testing them, nor the tools to do so. So, the risk associated with mobile applications is of great concern. Gartner predicts that through 2015, more than 75% of mobile applications will fail basic security tests. (Gartner Application Security Magic Quadrant, 2014)

Most global enterprises and large organizations have well-established application security programs to detect and resolve application security issues. While we are used to thinking of this as primarily a browser presentation issue, the mobile dimension will increase over time. Some of the “old” vulnerabilities (such as SQL injection) can show up in the web service back-ends for mobile applications. For more on current application security threats and trends, visit www.ntobjectives.com.

Plain HTTP

Non-encrypted traffic is still used by some mobile applications (amazingly). No further elaboration is necessary.

Certificate Pinning

Mobile applications can and should be pinned to a specific certificate to work, but according to the presenters, few apps do this, even major ones. This is an astounding security hole, but the poor rate of use is due to pinning being difficult to implement correctly. Specifically, if a certificate must change, due to expiration or compromise, some mechanism must be provided to update the client app.
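The two client-side points above, never letting a certificate error through (the "continue" button in the SSL decryption section) and pinning with a way to rotate, fit in one small Python example. This is an added example and not code from the presentation or from NT OBJECTives; the "certificates" it hashes are constructed placeholder byte strings rather than real DER certificates, and the pin format follows the HPKP-style "sha256/base64" convention. The rotation answer it shows is the usual one: ship a backup pin for the next certificate alongside the current one, and give the pin set an expiry that forces an app update before it goes stale.

```python
"""Fail-closed TLS verification plus a rotation-friendly certificate pin set.

Added example, not the presentation's or NT OBJECTives' code. Certificate
bytes below are CONSTRUCTED placeholders, not real DER; only the pin logic
is exercised. Pins here are over the whole leaf certificate (simplest form);
pinning the SubjectPublicKeyInfo instead survives re-issuance on the same key.
"""
import base64
import hashlib
import ssl
from datetime import date


def make_strict_context() -> ssl.SSLContext:
    """Client context that raises on certificate problems instead of asking.

    This is the programmatic equivalent of always choosing "cancel" in the
    iOS dialog: an untrusted chain or a hostname mismatch ends the
    connection; there is no "continue" path for the user to take.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_fails_closed(ctx: ssl.SSLContext) -> bool:
    """Sanity check that nobody has relaxed the context at runtime."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def pin_of(cert_der: bytes) -> str:
    """sha256 of the DER-encoded certificate, base64, in 'sha256/...' form."""
    return "sha256/" + base64.b64encode(hashlib.sha256(cert_der).digest()).decode()


class PinSet:
    """Current pin(s) plus at least one backup pin for the next certificate.

    The backup pin is what lets an already-deployed app survive expiry or
    revocation: the replacement certificate is issued for a key whose pin
    shipped in the app earlier. `expires` forces an app update before the
    pin list itself becomes stale.
    """

    def __init__(self, pins, expires: date):
        if len(pins) < 2:
            raise ValueError("a pin set needs a backup pin, or rotation bricks the app")
        self.pins = set(pins)
        self.expires = expires

    def check(self, cert_der: bytes, today: date) -> str:
        if today > self.expires:
            return "stale-pinset"     # too old to trust: require an app update
        if pin_of(cert_der) in self.pins:
            return "ok"
        return "pin-mismatch"         # possible MITM or an unannounced cert change


# Constructed placeholder "certificates" (NOT real DER), labelled as such.
CURRENT_CERT = b"\x30\x82placeholder-current-leaf-cert"
NEXT_CERT = b"\x30\x82placeholder-next-leaf-cert"
ROGUE_CERT = b"\x30\x82placeholder-rogue-mitm-cert"

# Assumed rollout: current + backup pin, app must be updated by end of 2015.
PINS = PinSet([pin_of(CURRENT_CERT), pin_of(NEXT_CERT)], expires=date(2015, 12, 31))


def pin_demo() -> dict:
    """Outcomes for the normal, rotated, intercepted and stale cases."""
    today = date(2015, 1, 15)
    return {
        "current": PINS.check(CURRENT_CERT, today),
        "rotated": PINS.check(NEXT_CERT, today),
        "rogue": PINS.check(ROGUE_CERT, today),
        "stale": PINS.check(CURRENT_CERT, date(2016, 6, 1)),
    }


if __name__ == "__main__":
    print(pin_demo(), context_fails_closed(make_strict_context()))
```

In a real client the pin check runs after the normal chain validation from make_strict_context(), on the DER bytes the TLS layer hands back for the server's leaf certificate; a "pin-mismatch" result should fail the connection and be logged, never surfaced as a question to the user.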

HTTP Request Hijacking

In an untrusted environment, a man-in-the-middle issues a persistent redirect (301) to a malicious server. This has a permanent effect even when back on a safe network, with the app still contacting the malicious server pointed to by the redirect. This is a cleverly sneaky attack that I will enjoy testing on several apps.
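The defence against a poisoned permanent redirect is a redirect policy in the app rather than blind use of the HTTP library's default behaviour. As an added example (not code from the presentation or from any app it names), the Python function below decides separately whether to follow a redirect at all and whether the client may remember it: downgrades to plain HTTP and moves to hosts outside a constructed allow-list are refused, and a 301/308 is only persisted when it stays on the same host, so a hostile network can never leave a lasting pointer elsewhere.

```python
"""Redirect policy that resists HTTP request hijacking through a cached 301.

Added example, not from the presentation. TRUSTED_HOSTS is a constructed
allow-list standing in for the API hosts an app is built to talk to.
"""
from urllib.parse import urljoin, urlsplit

# Constructed allow-list of hosts this app is designed to contact.
TRUSTED_HOSTS = {"api.example.test", "cdn.example.test"}


def accept_redirect(original_url: str, status: int, location: str):
    """Return (follow, persist, reason).

    follow  - whether to issue the request to `location` at all
    persist - whether the client may remember this mapping beyond the session
    """
    target = urljoin(original_url, location)      # Location may be relative
    src, dst = urlsplit(original_url), urlsplit(target)

    # Never accept a downgrade from https to plain http (sslstrip-style).
    if src.scheme == "https" and dst.scheme != "https":
        return (False, False, "downgrade")
    # Never leave the set of hosts the app was built for.
    if dst.hostname not in TRUSTED_HOSTS:
        return (False, False, "untrusted-host")
    # Permanent redirects are only remembered for same-host moves; anything
    # learned on one network that points somewhere else dies with the session.
    permanent = status in (301, 308)
    same_host = dst.hostname == src.hostname
    return (True, permanent and same_host, "ok")


def redirect_demo() -> dict:
    """Outcomes for the cases a hostile or honest network can produce."""
    base = "https://api.example.test/v1/login"
    return {
        "downgrade": accept_redirect(base, 301, "http://api.example.test/v1/login"),
        "foreign_host": accept_redirect(base, 301, "https://evil.example.test/v1/login"),
        "same_host_301": accept_redirect(base, 301, "/v2/login"),
        "same_host_302": accept_redirect(base, 302, "https://api.example.test/v2/login"),
        "trusted_other_301": accept_redirect(base, 301, "https://cdn.example.test/v1/login"),
    }


if __name__ == "__main__":
    for case, outcome in redirect_demo().items():
        print(f"{case:18} follow={outcome[0]} persist={outcome[1]} ({outcome[2]})")
```

The same policy should be applied to any cached redirect the platform HTTP stack keeps on the app's behalf; if that cache cannot be controlled, disabling automatic redirect following and handling Location headers with this function is the safer configuration.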

Malware

Malicious apps have been more of a problem with Android than with iOS. The “year of Android malware” was 2011, countered by “Bouncer” a year later. Then malware went to other external stores, followed by a focus on “verified apps,” moving Android closer to the iOS security model. Thus malicious applications now are becoming sneakier. The best example given was asking for all keystrokes in exchange for better services! This is possible on Android and iOS 8 with installable keyboards.

NT OBJECTives Relevance

Almost everything in this presentation focused on the client side of the mobile security equation. This is a natural and typical focus for mobile security. But the traffic between a mobile application and a server can be just as vulnerable, and a breach can be more damaging on the server side of the equation than on the device side. NTOSpider can be used to scan such sites and web services for vulnerabilities. For example, one of the issues in this presentation touches on server side behavior beyond simply the general use of SSL/TLS: the use of HSTS for preventing the sslstrip attack. NTOSpider detects this header and reports on the lack of its use in conjunction with HTTPS.
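For the sslstrip point made at the start of the write-up and the HSTS check mentioned here, the following is an added Python example of the shape such a scanner check takes; it is not NTOSpider's own logic, the responses it inspects are constructed, and the six-month minimum is an assumed threshold rather than a standard. It reports a missing header, a header served over plain HTTP (which browsers ignore), max-age=0 (which tells clients to forget the policy), a short max-age, and a missing includeSubDomains.

```python
"""Check a response for a usable Strict-Transport-Security header.

Added example, not NTOSpider's detection logic. Response samples are
constructed; SIX_MONTHS is an assumed minimum, not a standard value.
"""

SIX_MONTHS = 180 * 24 * 3600


def parse_hsts(value: str) -> dict:
    """Split an HSTS header value into lower-cased directive -> value."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(scheme: str, headers: dict) -> list:
    """Return findings for one response; an empty list means no issue.

    `headers` maps lower-cased response header names to values.
    """
    if scheme != "https":
        # Browsers ignore HSTS received over plain HTTP, so there is nothing
        # to evaluate; the finding is that the endpoint is served without TLS.
        return ["plain-http"]
    raw = headers.get("strict-transport-security")
    if raw is None:
        return ["hsts-missing"]           # the sslstrip defence is absent
    d = parse_hsts(raw)
    findings = []
    if not d.get("max-age", "").isdigit():
        findings.append("hsts-invalid-max-age")
    else:
        age = int(d["max-age"])
        if age == 0:
            findings.append("hsts-disabled")      # max-age=0 clears the policy
        elif age < SIX_MONTHS:
            findings.append("hsts-short-max-age")
    if "includesubdomains" not in d:
        findings.append("hsts-no-includesubdomains")
    return findings


# Constructed responses: name -> (scheme, lower-cased headers).
SAMPLES = {
    "good": ("https", {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    "missing": ("https", {"content-type": "text/html"}),
    "short": ("https", {"strict-transport-security": "max-age=300"}),
    "zero": ("https", {"strict-transport-security": "max-age=0; includeSubDomains"}),
    "http": ("http", {"strict-transport-security": "max-age=31536000"}),
}


def scan_samples() -> dict:
    """Findings per constructed response."""
    return {name: check_hsts(scheme, hdrs) for name, (scheme, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:8} {findings or 'ok'}")
```

Even a perfect header only protects a browser that has already seen it over HTTPS (or has the site on its preload list), and, as the write-up notes, older browsers never honour it at all; the check tells you the server has done its part, not that every client is covered.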

For more information on mobile applications and web application scanning see the following content at www.ntobjectives.com:

2014 HOFFL Mid-season Update
http://www.manvswebapp.com/2014-hoffl-mid-season-update
Wed, 15 Oct 2014 07:18:35 +0000

We are about mid-season into this year’s Hackers Only Fantasy Football League (HOFFL) and it’s time to give everyone an update. Unlike last year, when I did terrible and ended the season in 11th place (out of 12), I have been kicking butt and in 1st place for the last 3 weeks. Let’s run through the standings.

1st place (5-1): Your not-so-humble leader is the one and only Dan Kuykendall (@dan_kuykendall) from NT OBJECTives. I started with a draft day ranking of #8, but have made several waiver moves that have paid off well, and my hard work has me riding a 5 week winning streak.

2nd place (5-1): No surprise here: last year’s winner Billy Austin (@billyaustintx) from iScanOnline is following insanely close in 2nd place with the same 5-1 record and 0.86 fewer points earned (I am at 691.14 and he is at 690.28!).

3rd place (5-1): Alan Shimel (@ashimmy) from The CISO Group, who has been riding the Andrew Luck freight train is doing well and could easily win against any team in the league.

4th place (5-1): In 4th place we have my co-panelist at this week’s Hou.Sec.Con, Mr. Matt Johansen (@mattjay) from WhiteHat Security, who has luckily scraped by with some super close wins (one by 0.18 points). However, a win is a win, and he’s marching on, trying to win the league.

We then have several 3-3 teams

5th place (3-3): NTO‘s own Dmitriy Kashitsyn (@dmk1492) who ignored my advice in week 5 and as a result secured a win against the Denim Group duo.

6th place (3-3): Kenny Herold (@glumdragonfly) has an incredibly consistent win-loss-win-loss-win-loss-win-loss record.

7th place (3-3): My buddy David French (@frenchdc) from Risk I/O who drafted very well, only to have all his top picks become total flops this season.

8th place (3-3): Newcomer Kenneth Pfeil’s team can’t stay consistent. Some weeks he’s one of the top teams, and the next he’s terrible. Ahhh, the joys of fantasy football!

9th place (2-4): Proving that 2 heads are not better than 1! Lee Carsten (@lcarsten) and Patrick (@patrick_adam) from the Denim Group seem to have some of the worst luck, which has resulted in some painful losses.

10th place (2-4): Joe Sanders (@joesanders02) better pick up the pace of wins or his hopes of sneaking into the playoffs

Finally, the winless teams!

11th place (0-6): Finally pulling out of last place is Ms. Erin (@SecBarbie) from UrbaneSec. SecBarbie has had awful misfortunes from the draft to each week’s match-up. I hope she wins this week as she faces Alan Shimel’s team.

12th place (0-6): I am not sure what to say here. My buddy Michael Farnum from HP (@m1a1vet) is doing everything wrong. He’s gotta step up his game, and when I see him tomorrow I plan to remind him of that early and often!

Well, there you have it, folks! I hope you’re enjoying your own fantasy football leagues as much as we are!

Shellshock Bash Bug – 8 Important Lessons
http://www.manvswebapp.com/8-important-lessons-we-can-learn-from-the-shellshock-bash-bug
Fri, 03 Oct 2014 22:16:45 +0000

While Shellshock has been all over Twitter and talked about on prominent news outlets, I’m still shocked that there is comparatively less press coverage than there was for Heartbleed, which was a bona fide “big story.” This is unfortunate because in some ways the Shellshock exploit is more devastating, but there are actually some good reasons for the lesser coverage, and all of them are things we should learn from.

1. Name Game Confusion

Some call it Shellshock, or the Shellshock Bug, some call it the “BASH Bug” and sadly, some in the press call it the “Bug known as BASH” (see video [https://www.youtube.com/watch?v=hxsb8Hzb5FQ]). Heartbleed was a cool name, and even had a cool logo that was able to capture the imagination very quickly. Maybe we need to make sure we pick cool names and create cool logos before we alert the media of a major new vulnerability.

2. Explanation of the Threat

When dealing with Heartbleed it was easy to explain that the exploit allowed an attacker to extract unencrypted information. With Shellshock, I have seen people trying to explain the exploit in terms that are meaningless to normal people.

3. The Boy Who Cried Wolf

We (the security community) made such a fuss about Heartbleed that we basically told the world the internet was on fire. The problem was that most of the internet was patched within a week or two and life went on as normal. The fire was well contained by the awareness campaign, which is a good thing. But we had gone a little overboard and wasted our goodwill with the press.

4. Overstatement of the Threat

Let me start by saying that when exploited, Shellshock is bad, bad news. A Shellshock exploit is worse than a Heartbleed exploit because it not only allows data to be leaked, but also allows remote control of a server and could allow an attacker to make a trusted site become evil.

I see statements out there saying that 70% or even 90% of internet connected systems are vulnerable to Shellshock and that it is much worse than Heartbleed. While there may be some truth to that, and a high percentage of internet servers are indeed “vulnerable” we need to break that down a little because a very small percentage are exploitable.

5. Vulnerable Does Not Mean Exploitable

A server might have this BASH bug, which can be tested on the system with a simple test command. However, to exploit this, you need to have a service open that calls BASH. The problem is that most service ports are blocked by firewalls. In most cases, there are only a few ports open to the internet that could be vulnerable, such as DNS, DHCP, SMTP/IMAP/POP3 and HTTP/HTTPS. I have seen some exploitable examples of DNS and DHCP services that shell out to BASH scripts to handle IP assignments based on user, as well as some SMTP that shell out to spam filtering tools. I’m sure there are many more, but these are examples and they are limited. Jose Pagliery from CNN Money explains it quite well – the world isn’t on fire, but there is a serious problem in this video.

6. What About Web Servers?

Of course this is one of the big questions because web servers are much more widely exposed to the Shellshock BASH bug. In many cases, the only ports a server will expose to the internet are 80/443, which are the HTTP/HTTPS ports. There are situations where a web server has CGI support enabled, even though it has not been the default configuration for quite some time. But if it is, then it is possible that it might have a CGI script that executes BASH. This could happen, but it’s fairly rare these days because most CGI scripts I see are written in languages such as Perl and are not exploitable with Shellshock. So, if all the moons have aligned so far and there is a BASH CGI script in use, the admins can disable the script or patch the system to remove the vulnerability.

So let’s go back to the claims that 70-90% of the internet connected servers are “vulnerable”. From that we subtract the ones that have no ports open to the internet. We then remove the ones that only expose services that are not exploitable because they don’t shell out for any reason. In the end, I think we end up with a much smaller percentage, let’s say 5%-10% of the servers on the internet that are vulnerable to the Bash Bug are actually exploitable.
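Because the only thing a CGI server hands to the script from the network is request data copied into environment variables, the web-facing exposure described in point 6 has a simple detection signature: a header value that begins with the bash exported-function prefix "() {", which has no legitimate reason to appear in a request. The Python below is an added example (not from the post) of that check run over constructed sample requests; it is the kind of rule a reverse proxy, WAF or log review would carry while the systems behind it get patched, and it does not replace the patch.

```python
"""Flag Shellshock-style function-definition strings in HTTP request headers.

Added example, not code from the post. The exported-function prefix is the
public signature of the bug: a vulnerable bash importing an environment
variable that starts with "() {" executed whatever followed the closing
brace. Sample requests below are constructed, not captured traffic.
"""
import re

# Whitespace between the parentheses and before the brace is optional.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def header_is_suspicious(value: str) -> bool:
    """True when a header value carries the exported-function prefix."""
    return bool(SHELLSHOCK_RE.search(value))


def scan_request(headers: dict) -> list:
    """Return the names of headers in one request that match."""
    return [name for name, value in headers.items() if header_is_suspicious(value)]


# Constructed sample requests, each as a header dict.
SAMPLE_REQUESTS = [
    {"Host": "www.example.test",
     "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/32.0"},
    {"Host": "www.example.test",
     "User-Agent": "() { :;}; echo probe"},
    {"Host": "www.example.test",
     "Referer": "() {ignored;}; echo probe",
     "User-Agent": "curl/7.35.0"},
    {"Host": "www.example.test",
     "Cookie": "session=abc123; theme=(dark)"},     # parentheses alone are fine
]


def scan_samples() -> list:
    """Per-request list of matching header names."""
    return [scan_request(req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, hits in zip(SAMPLE_REQUESTS, scan_samples()):
        print(hits or "clean", "|", req)
```

Any header, query string or cookie the server exports to the script is a candidate, so the rule should run over all request fields rather than only User-Agent; hits are a strong signal of scanning activity against the host whether or not it is actually exploitable.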

7. Remains A Very Serious Security Issue

Even if only 5% of the servers on the internet are exploitable that still constitutes a very serious problem. It may not get as many headlines as saying 70-90% are vulnerable, but it is more accurate and helps to maintain our credibility to the wider public.

Keep in mind, that 5% of the servers on the internet being exploitable is still a VERY LARGE number of servers, and from those exploitable systems, an attacker could then attack other servers and services not exposed directly to the internet.

8. Shellshock’s Lasting Impact

I want to state once again that I strongly feel like this BASH bug is very serious, which is why I have been disappointed by the coverage about it. I also think it will be with us for a long time, because unlike the big servers powering the internet, which will get patched, many appliance type devices will never get patched such as common home WiFi & router devices, and IP enabled devices that fall into the “Internet of Things” category.

We did a great job during Heartbleed, and I believe the publicity actually helped mitigate the threat because every IT person was made aware and systems were patched quickly. It also served as something like a shark alert at the beach and many people stayed away for a few days while “the internet got fixed.”

Shellshock has not been handled as well, and I think systems that could easily be patched won’t, because we failed in the awareness campaign. I have run into many people and friends in the IT space that had not heard about it as recently as last night!

I hope we do better next time.

The Bash Bug, In a Nut-Shellshock
http://www.manvswebapp.com/bash-bug-nut-shellshock
Fri, 26 Sep 2014 20:35:48 +0000

As you probably know by now, a bug named Shellshock, or “The Bash Bug,” has been discovered in a version of Bash, which is a command shell tool. The bug leaves millions of websites and computers open to attack. The bug can be triggered in just a few lines of code and enables hackers to use the command shell remotely to execute malicious injections against vulnerable sites without admin privileges, possibly bringing them down or worse.

Some say the damage potential for this bug is so massive that it’s being compared to Heartbleed, and it may even be more pervasive than Heartbleed. But others say that it’s been around for a long time and the damage will be minimal. Security insiders are tweeting all sorts of sarcastic comments and jokes about the bug while some publications warn of gloom and doom. While the damage remains to be seen, it’s fairly safe to say that this bug is keeping security professionals and developers busy.

Technically, no one is safe from Shellshock; it exposes everyone from home users to global corporations. Both Rapid7 and the NIST vulnerability database score this vuln a 10 out of 10, and unfortunately it’s pretty easy to execute. Experts are urging IT professionals to patch their version of Bash ASAP, but keep in mind that there isn’t one solution. IT security experts and developers will need to issue patches for their individual solutions (e.g. Apple, Red Hat, etc.). For example:

Linux vendor Red Hat has issued ModSecurity rules that block the Bash bug, but warns that the patch is not complete.

Security researchers are worried about the bug’s potential impact on Apple Mac computers, which use the Bash software the bug exploits directly, in the form of the command-line program Terminal. Fortunately, patches are available, but Apple users will need to get their hands dirty until a fix is issued.

Shellshock is a mistake in the code of Bash, which is typically installed on non-Windows operating systems such as Mac, Unix and Linux. The bug enables hackers to send commands to a computer remotely and without having admin privileges. The recent vulnerability was discovered by Akamai security researcher Stephane Chazelas. This Akamai advisory also explains the problem, and this OSS-Sec mailing list post has a good explanation as well.

IT security professionals can find code to exploit the Bash bug using CGI scripts to execute code with the same privileges as the web server. The bug can be triggered on a vulnerable system with a simple Wget fetch.

To check if your systems are vulnerable, execute the following lines of code in your default shell, which will often be Bash.

You’ll know you are at risk if you see the word, “busted.” If you don’t see the word “busted,” then your version of Bash is fixed or your shell is using a different interpreter.
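The test command itself did not survive in this copy of the post, so as an added example (not the post's own snippet) here is the same widely published self-check driven from Python, for use on machines you administer: export an environment variable whose value is a bash function definition followed by extra text, start bash, and see whether the extra text ran. A vulnerable bash prints the marker; a fixed bash ignores (and usually warns about) the trailing text.

```python
"""Shellshock self-check for bash on the local machine, driven from Python.

Added example, not the post's own command. It reproduces the widely
published check: a vulnerable bash executes text that follows an imported
function definition in an environment variable; a patched bash does not.
"""
import os
import subprocess

MARKER = "busted"


def bash_is_vulnerable():
    """Return True if bash printed the marker, False if not, None if no bash."""
    env = dict(os.environ)
    # Function body "{ :;}" followed by a trailing command; only a vulnerable
    # bash runs the part after the closing brace when importing the variable.
    env["x"] = "() { :;}; echo " + MARKER
    try:
        proc = subprocess.run(
            ["bash", "-c", "echo test"],
            env=env, capture_output=True, text=True, timeout=10,
        )
    except FileNotFoundError:
        return None                       # no bash on PATH: nothing to test
    return MARKER in proc.stdout


def report() -> str:
    """Human-readable verdict: 'vulnerable', 'patched' or 'no-bash'."""
    state = bash_is_vulnerable()
    if state is None:
        return "no-bash"
    return "vulnerable" if state else "patched"


if __name__ == "__main__":
    print(report())
```

A "patched" result only speaks for the bash binary on that machine's PATH; appliances and devices that embed their own copy of bash need to be checked on the device, which is the long tail the previous post worries about.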

Users at home should avoid using credit cards or disclosing personal information online for the next few days. In addition, it’s a good idea to update anti-virus software and avoid sketchy websites.

In Jim Reavis’ Cloud Security Alliance blog post, he explains that many large programs on Linux and other UNIX systems use Bash to define environment variables which are then used while executing other programs.

For more helpful information on the Shellshock bug, check out the following:

The 2nd annual Hackers Only Fantasy Football League is back! The HO-FFL is a great way for us IT security professionals to enjoy some time together outside of the workplace. This season we have some of the leading web application security companies represented, along with AppSec consultants and users of the products.

Prior to our inaugural season last year, I discovered a bug in the Yahoo! Fantasy Football mobile app, where session tokens would never expire, allowing man-in-the-middle attackers to hijack them and use them to their advantage against their rivals. The bug has since been fixed by Yahoo!.

This season is fired up and ready to start. The teams were drafted on Friday and now we eagerly await the start of the season tomorrow. We have an amazing collection of bright minds in the InfoSec industry that will battle head to head this season for the inaugural trophy.

Along with myself, we have several returning players:

Billy’s Team – Billy Austin from iScan Online returns as our defending champion. He just so happened to draft the highest scoring player from 2013, Peyton Manning. Billy happens to be my first opponent. I’m hoping that Peyton doesn’t repeat his Week 1 performance from last year when he threw for 7 touchdowns against Baltimore.

Tomball Cowboys – Michael Farnum from competitor HP and founder of my favorite local conference, HouSecCon. Farnum’s draft grade was the worst, and asks “Did Tomball Cowboys Throw the Draft on Purpose?”

Megatron – David French of Risk I/O who decided to chase Farnum down toward the bottom with his grade stating that “Megatron Obviously Hates Winning”.

Boca Steelers – Alan Shimel currently of The CISO Group and formerly of StillSecure. And before that Alan was hanging with Al Gore helping to create the Internet….and before that he was with Edison harnessing electricity.

Orange County Bears – Dmitriy Kashitsyn the Director of Engineering at NT OBJECTives. Dmitriy made me worry during the draft when he asked “What does QB mean?”. Hopefully he busts out his ‘Football for Dummies’ book quick!

We will have a few opportunities to get together and share drinks and catch up (or smack talk) at events such as OWASP AppSec USA (9/17-9/19), HouSecCon (10/16) and RSA 2014 (2/24/2015-2/28/2015). These are great chances to see familiar faces and build upon new relationships built over the bond of Fantasy Football!

Why the Bitcoin Intrinsic Value Complaint is Irrelevant
http://www.manvswebapp.com/bitcoin-intrinsic-value-complaint-irrelevant
Tue, 04 Mar 2014 18:58:22 +0000

In the aftermath of the Mt. Gox meltdown and subsequent bankruptcy filing, I have been reading a lot of commentary on Bitcoin. Even Paul Krugman has weighed in (against Bitcoin). Much of the criticism of Bitcoin centers around the idea that it has no ‘Intrinsic Value.’ While I have no particular opinion on whether or not Bitcoin is over or undervalued or whether it has long term viability, the Intrinsic Value criticisms are unfounded and based on a misunderstanding of Intrinsic Value, value and currency mechanisms.

A quick review of economic and financial principles will reveal that Bitcoin could have Intrinsic Value and be sustainable despite the fact that it is not backed by gold or a government’s power to tax.

What is Intrinsic Value?

Intrinsic Value is a concept in finance that attempts to value an asset (usually a financial asset like a stock or bond) based on a mathematical analysis of the (usually cash) value derived from that asset over time. Usually, discounted cash flows are used. So, for example, if a company is expected to pay dividends of $1 per year forever and an investor applies a discount rate of 10% to those dividends, the stock will be worth $10 per share ($1/.1).

This approach can be applied to assets that do not throw off streams of cash. For example, if I own a right to have dinner for two at a restaurant once a year and I value that at $100 with a discount rate of 10%, that right is worth $1,000 ($100/.1).

It should be pointed out that many assets with Intrinsic Value are not entirely backed by another asset (like gold) and the vast majority are not backed by a government’s right to use force to collect taxes.

As we will see in a bit, using the standard definition of Intrinsic Value, Bitcoin may very well have Intrinsic Value even though it is not backed by something with established value (e.g. gold) or a government’s right of taxation. All that is necessary to use Intrinsic Value analysis is for the asset in question to have tangible benefits that accrue to the owner over time.

Are All Values Intrinsic?

Most items with monetary value do not have Intrinsic Value. In other words, they do not throw off cash flow or other measurable benefits over time. For an item to have monetary value it needs to have two things and two things only: scarcity and demand. That’s it. Economics is about understanding human behavior, not judgement. If a lot of people want a baseball card and are willing to pay $80,000 for it, it’s worth $80,000. Period, end of story. If people are willing to pay $1,000 for an ounce of gold, that is what it is worth.

It should be pointed out that gold is not valued by Intrinsic Value analysis. It’s good old (scarce) supply and demand, econ 101, day 1. Gold certainly has a more established value based on a long history of it being a store of value but that’s it.

Why Are Currencies Useful?

Switching gears a bit, let’s talk about currencies. There are two potential uses of currencies. They can be used 1) as a store of value and 2) as a medium of exchange. The store of value is obviously needed for it to be a useful medium of exchange over the short term because if you have $3,000 in your checking account that you need to pay the rent, you need to know that it will be worth roughly that when the rent comes due next week.

Having said that, currency values change daily in relation to each other and over longer periods in their own country. If the federal reserve doubles the money supply, it will cause inflation and my rent will go up as the US dollar will be worth less to my landlord (it will buy less).

The point of all of this is that just because Bitcoin’s value has been and will continue to be volatile, that does not mean that it has no use as a medium of exchange.

Taking another step, there are many factors that impact the utility of a currency as a medium of exchange. Let’s look at three of them.

1. Acceptance. Clearly if no one will accept a currency as payment, it is useless as a medium of exchange. The more entities that accept it, the more useful and valuable it is.

2. Transaction Costs. The less that it costs the buyer and seller to transact in a currency, the more useful it is. This is a major consideration and US dollar transaction costs can be significant. Credit card companies charge 2.5% or more to process a transaction.

3. Anonymity. For certain sectors of society, anonymity is highly valuable. Some people simply do not want their transactions traceable. Some of this demand may come from mere paranoia and certainly a significant portion of it relates to criminal activity.

Is Bitcoin Potentially Useful?

The answer, quite clearly, based on 1, 2 and 3 above is yes. While Bitcoin does not have the broad acceptance of the US Dollar at present and it is tricky to buy Bitcoin with PayPal, broad acceptance is not a requirement for it to have value. All that is required is for a meaningful subset of users to see value in using the currency for them to use it. Clearly transaction costs are lower and Bitcoin’s anonymity is very attractive.

Could Bitcoin Have Intrinsic Value?

The answer, according to finance theory, is a clear yes. Let’s recall that Intrinsic Value has nothing to do with something being backed by gold or the power of taxation. Again, all that is necessary to use Intrinsic Value analysis is for the asset in question to have tangible benefits that accrue to the owner over time.

Just looking at the transaction costs, we can measure the value of Bitcoin as the sum of the net present value of money saved over time by using it as compared to currencies with higher associated transaction costs. To create a simplistic example, let’s say that I keep $3,000 worth of Bitcoins to use for a certain number of transactions per year. Think of it like a checking account. Let’s say that I do $15,000 worth of transactions a year and save 2%, on average, on each transaction for a total of $300 per year. Assuming a discount rate of 10%, the Bitcoins are worth $3,000 to me ($300/.1). It is actually quite possible to save 2% per year or more, and $15,000 of annual transactions on a $3,000 account is very doable as well.

The fact that the Bitcoins are not backed by gold or the power to tax is no more relevant to me than the fact that I have my retirement savings invested in General Electric stock (which is neither backed by gold nor the power to tax). The Bitcoins have $3,000 worth of value (Intrinsic Value) because they deliver $300 per year of tangible benefits to me as an owner. If I had a magic wand or totem that saved me $300 per year on transaction costs, that would be worth $3,000 to me as well using the same analysis.

The benefits for criminal activity are even greater as money launderers charge substantially more than 2% (at least according to my favorite television shows). And the IMF estimates that 2-5% of global economic activity involves money laundering ($1.4 – $3.5 trillion per year). Bitcoin is not a complete solution for criminals as it does not yield a stable asset post-transaction but criminals may be willing to take some Bitcoin volatility risk for a portion of their portfolios in order to save on transaction costs.

Now I may have some value risk or piracy risk on my Bitcoins but that is something that I may be willing to take to save money on transaction costs and/or to achieve anonymity.

Conclusion

I’ve never used Bitcoin and have no plans to do so. Having said that, as a business owner, I am well aware that transaction costs are material and a new transaction mechanism (that may or may not include a new currency) could have value and gain adoption. Bitcoin, or other digital currency like it, could certainly be that mechanism. Whether it will succeed or not, I have no idea. But focusing on a misunderstanding of both Intrinsic Value and why currencies are useful will certainly not shed any light on the subject.

An Information Security Place Podcast – 01-22-14
http://www.manvswebapp.com/information-security-place-podcast-01-22-14
Thu, 23 Jan 2014 03:37:40 +0000

Jim, Dan, and Michael have a lot of catching up to do. We talk about a lot of stuff because a lot of stuff has been happening. From RSA, NSA, QSAs… security is busy! Show notes below!

Show Notes:
Infosec News Update

* 123456 is the new best of the worst – Link
* RSA Conf and those skipping it this year – Link
* Fixing a flawed VA medical records system: Tenacity pays off for a researcher – Link
* Do you believe the Obamacare website is secure? These guys don’t – Link1, Link2, Link3

The season is over! It was fun to play with all that participated and I got to have some fun conversations about football & the week by week activity that took place. I am looking forward to our meetup at RSA. I am planning out a time & location and will have those details soon.

Yes, you read that right… I ended up in 11th place. Ouch. In every other league I played in this year, I did pretty well, except this one. In this one, I stunk. Plain and simple…. just terrible. My one redemption was that I did have a chance to beat a couple buddies, David (twice), Brandon and Lee & Patrick. Downside was losing to Michael during the weekend after HouSecCon when I did my trash talking to him in person :/

Billy Austin just cleaned up. He had the most highest-scoring weeks (5) and a couple of second-highest-scoring weeks, which earned him $60, plus as league champ he earned another $60, for a $120 total plus all bragging rights.

I almost pulled Max’s team from him, because he left the team on auto-pilot and left bye-week players in his starting lineup a couple times. However, on week 8 with his QB on bye week, he still managed to get a win over Gus! Then on week 9 he left 2 bye week WR’s and a kicker on his starting lineup and still beat Drew!! He then got his 3rd and final win over ME in week 10 with no RB’s and no TE!!! (they were on bye or IR). Next season I will have a rule for this.

There was a big screw-up on my part that really limited the season for most of the teams. I did not set up the playoff schedule properly, so there was no consolation bracket, and so the top 8 teams entered the playoffs and the season ended for everyone else. That was unintended and will be corrected for next season.

All in all, it was a fun experience and I look forward to next season. In the meantime I will be cheering on the 49ers as they make their way back to the Super Bowl!!!

An Open Letter to Barack Obama: If You aren’t Sure of Health Exchange Security, Shut it Down Now
http://www.manvswebapp.com/open-letter-barack-obama-arent-sure-health-exchange-security-shut-now (Fri, 25 Oct 2013)

Stability is Only the First Issue – Security Will Be Healthcare.gov’s Real Achilles Heel

There has been a significant amount of attention to the problems of the Obamacare website. While these problems are certainly cause for concern, there is an even more serious group of problems that likely exists and needs to be addressed: the security of the website and of the confidential data it is collecting on millions of Americans. Given the problems with the site that have already been discovered, if concerns about security cannot be addressed, the site should be shut down until they can be. Slow performance is an inconvenience. The dissemination of confidential information on millions of Americans would be a disaster. Given that a casual test of the home page of the site revealed a security flaw, we are gravely concerned about the security of the site as a whole.

We would emphasize that this is not a hypothetical problem; confidential data is stolen every day by hackers who exploit the security flaws discussed below. If the designers of healthcare.gov have not addressed these issues, the site is vulnerable to user data being stolen, and it is almost certain that hackers will exploit this. Unless the Administration is certain that the site can securely protect the confidential user data it is collecting, the site should be shut until it has that degree of confidence.

The Obamacare Website is a Prime Target for Hackers

It’s obvious this site is a target for hackers. First and foremost, it is set up to collect and aggregate personal, confidential information on millions of Americans. Second, the US government always has enemies, and embarrassing the administration would appeal to a large segment of the hacker community. Given the current NSA scandal, anti-American sentiment in the hacker community might be at an all-time high. Finally, many hackers are motivated by augmenting their reputation among other hackers, and hacking healthcare.gov would certainly be a prestigious hack.

The Security Flaws in the Site Are Still Largely Unknown

Hacking requires the ability to make thousands of requests to a site to test for flaws. A single page may require a thousand tests to ensure that it is secure. Healthcare.gov has such poor stability that this is nearly impossible right now. Once the stability of the site improves, hackers will test it thoroughly, and at that point the true security profile of the site will become clear.

Healthcare.gov Likely Has Significant Flaws

Given the multitude of problems with the site, it is clear quality testing was lax. It is generally true that functionality testing (i.e. does the site actually work) is prioritized over security testing, so it is likely that the site’s security is even worse than its functionality. We very lightly and casually poked around the first page of the website and found a significant vulnerability that is easy to discover and easy to prevent. It is highly unlikely that this is the only vulnerability on the site. We would also point out that fixing problems on the fly under intense pressure is not an intelligent way to fix enterprise software. Human beings are responsible for preventing security flaws, and these are exactly the kind of conditions that lead to security mistakes.

How Website Vulnerabilities Allow Hackers to Steal Confidential User Data

There are two main classes of vulnerabilities that are most concerning. The first is called SQL Injection. Web applications, by design, connect to databases, and the databases, by default, give the application any data it requests. If the application builds its queries by mixing untrusted user input into the SQL text, a hacker can inject commands to steal or alter all of the data in the database. These vulnerabilities are relatively easy to find and correct (sending values to the database separately from the query text, as parameters, prevents them). Of course, so was the vulnerability we found on the home page, so there is no guarantee that healthcare.gov is free of SQL Injection.
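The following is an added example, not code from the original post and not anything taken from healthcare.gov. It uses Python’s built-in sqlite3 module and a small constructed users table (the names and SSN-shaped strings are made up) to show the mechanism described above: the same lookup written once by concatenating user input into the SQL text and once with a bound parameter, exercised with an honest username and with a classic tautology payload.

```python
import sqlite3

# Constructed sample data for this example only; not real records.
SAMPLE_USERS = [
    ("alice", "123-45-6789"),
    ("bob", "987-65-4321"),
    ("carol", "555-55-5555"),
]


def make_db():
    """Build an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Concatenates the user-supplied value into the SQL text.

    The database runs exactly what it is handed, so input containing SQL
    syntax changes the meaning of the statement instead of being data.
    """
    sql = "SELECT username, ssn FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Sends the SQL text and the value separately.

    The driver binds the value as data, so it can never be parsed as part
    of the statement, whatever characters it contains.
    """
    sql = "SELECT username, ssn FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with an honest name and with an injection payload."""
    conn = make_db()
    honest = "alice"
    # Closes the string literal and ORs in a condition true for every row,
    # turning a one-user lookup into a dump of the whole table.
    payload = "' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_attack": lookup_vulnerable(conn, payload),
        "safe_honest": lookup_parameterized(conn, honest),
        "safe_attack": lookup_parameterized(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

With the concatenated query the payload returns every row in the table; with the bound parameter the same payload is simply a username that does not exist and returns nothing. The hardened version is also the easier one to write, which is why this class of flaw is described above as easy to correct.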

The second class of vulnerabilities of significant concern covers who gets to see what information. There are different types of users of an application and generally there is a class of user, called an admin or administrator, who has broad access to data. This is necessary because administrators are often called upon to fix problems with the site. Applications control who gets to see what by a variety of means, and it is very possible to fool a site into thinking that a non-admin user is an admin: if, for example, the application decides who is an admin based on something the browser sends, such as a cookie value, hidden form field or URL parameter, a hacker can claim admin rights simply by changing that value, giving them broad access to user data. It is very difficult, expensive and time consuming to test for this class of vulnerability, because every privileged function has to be exercised as a user who should not be allowed to reach it.
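As an added example (not the original post’s code, and not a description of how healthcare.gov works), the Python below models the admin check two ways. The user store, session table and request dictionaries are constructed for the illustration. The vulnerable handler decides who is an admin from a `role` field the client sends; the hardened handler ignores anything the client claims about itself, resolves the opaque session id to a user server-side, and reads the role from the server’s own records.

```python
import secrets

# Constructed server-side user store. The role lives here, not in the browser.
USERS = {
    "alice": {"role": "user"},
    "dana": {"role": "admin"},
}

# Server-side session table: opaque session id -> username, filled at login.
SESSIONS = {}


def login(username):
    """Issue an unguessable session id that maps to the user on the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def admin_report_vulnerable(request):
    """Trusts a role claim carried by the request (cookie, hidden field, JSON).

    Anyone who edits that value to "admin" gets the admin view, regardless
    of who they actually are.
    """
    if request.get("role") == "admin":
        return {"status": 200, "users": sorted(USERS)}
    return {"status": 403}


def admin_report_hardened(request):
    """Identity comes from the session id; the role comes from the server store.

    Any role field the client sends is ignored entirely.
    """
    username = SESSIONS.get(request.get("session_id"))
    if username is None:
        return {"status": 401}          # not logged in
    if USERS[username]["role"] != "admin":
        return {"status": 403}          # logged in, but not an admin
    return {"status": 200, "users": sorted(USERS)}


def demo():
    """Exercise both handlers with a tampered request from an ordinary user."""
    alice_sid = login("alice")
    dana_sid = login("dana")
    # Alice is an ordinary user who has edited the role field to "admin".
    tampered = {"session_id": alice_sid, "role": "admin"}
    # Dana really is an admin; what her client claims is irrelevant.
    legit_admin = {"session_id": dana_sid, "role": "user"}
    return {
        "vulnerable_tampered": admin_report_vulnerable(tampered)["status"],
        "hardened_tampered": admin_report_hardened(tampered)["status"],
        "hardened_admin": admin_report_hardened(legit_admin)["status"],
        "hardened_no_session": admin_report_hardened({"role": "admin"})["status"],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: HTTP {status}")
```

The tampered request succeeds against the vulnerable handler and is refused by the hardened one, while the real admin is still let through. This also illustrates why the text calls this class expensive to test: unlike the injection example, nothing in the response looks broken, so the only way to find the flaw is to log in as a low-privilege account and deliberately try every privileged function.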

Regulatory Compliance

It’s interesting that many private organizations are required to adhere to regulatory guidelines like PCI, HIPAA and FISMA, but this application seems to escape them. While this application may not fall under HIPAA guidelines, it does store important personal information like Social Security numbers. If it were subject to HIPAA (according to this blog by Erik Kangas, which simplifies the requirements), it would have failed at least two of the requirements. Based on the security vulnerabilities being discovered and reported, it would fail #4, which requires integrity of the data. Requirement #6 states that data can be deleted when needed. From the reports and legal notices we are seeing, it appears that there is NO WAY to delete your data once you provide it.

We just used HIPAA as an example. We could find several failed requirements against PCI as well. So why is it that a government application that stores Social Security numbers isn’t subject to regulatory compliance regarding security?

Given The Risk of a Catastrophic Hack, Shut it Down!

We have no information on what kind of security testing has been done on healthcare.gov. But the factors listed above, along with our security tests, give us significant cause for concern. We believe the Obama Administration should be up front with the public as to what security testing was done, by whom and what the results were. If there is not a very high degree of confidence that healthcare.gov is securely protecting the confidential data entrusted to it by the American people, it needs to be shut down until it can be repaired.